a-priestley changed the title from "Initialize Helm Deployment With Client Credentials Grant For Config CLI" to "[bitnami/keycloak] Initialize Helm Deployment With Client Credentials Grant For Config CLI" on Oct 5, 2024
Name and Version
bitnami/keycloak 23.0.0
What is the problem this feature will solve?
The problem I am trying to solve is the fact that we cannot activate OTP MFA for the admin Keycloak account without breaking the config CLI functionality.
By default, the CLI authenticates using password grant, but when multifactor authentication is added on top of it, the service can no longer authenticate.
What is the feature you are proposing to solve the problem?
In the CLI documentation, there is mention of using client credentials as opposed to password, but for this, a client secret and service account need to be created for the admin_cli client. This can be done in the admin console of course, but is it possible to initialize the helm chart with it already in place?
It's a "chicken and the egg" problem. We can configure our .yaml with a keycloakConfigCli.configuration block, defining the admin_cli client with the necessary attributes, but a basic password grant is required for this to work initially. After the first run, we then need to rewrite the .yaml to specify that the CLI will be authenticating using client credentials from then on. Preferably, we want to be able to create the desired state in one shot.
What alternatives have you considered?
If it isn't possible to configure the bitnami/keycloak chart in this way, is there any advice for creating the desired state using init containers, or other methods?
Thanks!
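The two-pass sequence the issue describes, sketched as chart values. This is an added example, not part of the original issue or the chart's own documentation. It assumes the chart's `keycloakConfigCli.configuration` and `keycloakConfigCli.extraEnvVars` values and keycloak-config-cli's `KEYCLOAK_GRANTTYPE`, `KEYCLOAK_CLIENTID` and `KEYCLOAK_CLIENTSECRET` settings; the Secret name, its key and the secret placeholder are hypothetical.

```yaml
# Pass 1 (first install): keycloak-config-cli still logs in with the default
# password grant, so the admin account must not require OTP yet. The import
# makes the built-in client (admin-cli in Keycloak, "admin_cli" in the issue)
# confidential and gives its service account the master-realm admin role.
keycloakConfigCli:
  enabled: true
  configuration:
    master.json: |
      {
        "realm": "master",
        "clients": [
          {
            "clientId": "admin-cli",
            "publicClient": false,
            "serviceAccountsEnabled": true,
            "secret": "<CLIENT_SECRET_PLACEHOLDER>"
          }
        ],
        "users": [
          {
            "username": "service-account-admin-cli",
            "serviceAccountClientId": "admin-cli",
            "realmRoles": ["admin"]
          }
        ]
      }
---
# Pass 2 (every later upgrade): switch the job to the client credentials
# grant. No user password is involved, so OTP can now be required for admin.
keycloakConfigCli:
  enabled: true
  extraEnvVars:
    - name: KEYCLOAK_GRANTTYPE
      value: client_credentials
    - name: KEYCLOAK_CLIENTID
      value: admin-cli
    - name: KEYCLOAK_CLIENTSECRET
      valueFrom:
        secretKeyRef:
          name: keycloak-config-cli-client   # hypothetical Secret name
          key: client-secret                 # hypothetical key
  # configuration: keep the same master.json as in pass 1
```

The need to edit the values between the two passes is exactly the gap the issue asks the chart to close.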